Releases: ashhem/CodeScanUtil

v1.5.0

10 Apr 07:18

v1.5.0 — Added basic SQL Quality Analysis

Adds SQL performance anti-pattern detection with 2 new rules, reported in a dedicated section separate from security findings.

What's New

SQL Quality Rules

  • CX-SQLQ-001 — SQL Anti-Patterns: Detects common SQL anti-patterns in query strings:

    • SELECT * — fetches unnecessary columns
    • UPDATE/DELETE without WHERE — modifies/deletes all rows
    • LIKE with leading wildcard ('%...') — prevents index usage
    • ORDER BY without LIMIT — sorts entire result set
    • SELECT DISTINCT — often hides a bad JOIN
    • OR in WHERE clause — may prevent index usage
  • CX-SQLQ-002 — Inefficient Data Access: Detects Java-level data access anti-patterns:

    • N+1 queries — executeQuery()/findById() inside loops
    • findAll() + stream().filter() — fetches all then filters in Java
    • @OneToMany(fetch = EAGER) — loads entire related collection on every query
    • Unbounded queries — SELECT without LIMIT or WHERE
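As an added illustration (not CodeScanUtil's own code, whose matching logic these notes do not show), the checks listed under CX-SQLQ-001, plus the unbounded-query item of CX-SQLQ-002, applied to constructed query strings:

```python
import re

def _normalise(sql: str) -> str:
    """Collapse whitespace and upper-case so keyword matching is case-insensitive."""
    return re.sub(r"\s+", " ", sql).strip().upper()

def _where_clause(s: str) -> str:
    """Text of the WHERE clause ('' if none), cut at GROUP BY / ORDER BY / LIMIT."""
    m = re.search(r"\bWHERE\b(.*?)(?:\bGROUP BY\b|\bORDER BY\b|\bLIMIT\b|$)", s)
    return m.group(1) if m else ""

def analyse(sql: str) -> list[str]:
    """Return the anti-pattern labels (as named in the release notes) found in one query."""
    s = _normalise(sql)
    has_where = re.search(r"\bWHERE\b", s) is not None
    has_limit = re.search(r"\bLIMIT\b", s) is not None
    findings = []
    if re.search(r"\bSELECT \*", s):                       # COUNT(*) does not match
        findings.append("SELECT *")
    if re.match(r"(UPDATE|DELETE)\b", s) and not has_where:
        findings.append("UPDATE/DELETE without WHERE")
    if re.search(r"\bLIKE '%", s):                         # '%...' defeats an index seek
        findings.append("LIKE with leading wildcard")
    if re.search(r"\bORDER BY\b", s) and not has_limit:
        findings.append("ORDER BY without LIMIT")
    if re.search(r"\bSELECT DISTINCT\b", s):
        findings.append("SELECT DISTINCT")
    if re.search(r"\bOR\b", _where_clause(s)):             # \b keeps ORDER from matching
        findings.append("OR in WHERE clause")
    if s.startswith("SELECT") and not has_where and not has_limit:
        findings.append("Unbounded query")                  # query-string part of CX-SQLQ-002
    return findings

def scan(queries: list[str]) -> dict[str, list[str]]:
    """Map each query to its findings, omitting clean queries."""
    return {q: f for q in queries if (f := analyse(q))}

# Constructed sample query strings of the kind a scanner lifts out of Java source.
SAMPLE_QUERIES = [
    "SELECT id, name FROM users WHERE id = ? LIMIT 1",   # clean
    "SELECT * FROM users WHERE id = ?",
    "DELETE FROM sessions",
    "select name from users where email like '%@example.com'",
    "SELECT id FROM orders ORDER BY created_at DESC",
    "SELECT id FROM users WHERE status = 'active' OR role = 'admin'",
]

if __name__ == "__main__":
    for query, labels in scan(SAMPLE_QUERIES).items():
        print(f"{query}\n    -> {', '.join(labels)}")
```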

Report Changes

  • New SQL Quality section in the HTML report, separate from SAST security findings
  • Uses "Current Pattern" / "Recommended" labels instead of "Vulnerable Pattern" / "Secure Alternative"

Rule Summary

Category          Count
Security (SAST)   14
SQL Quality       2 (new)
Total             16

Quick Start

Download codescanutil-1.5.0.jar from the assets below, then:

java -jar codescanutil-1.5.0.jar /path/to/your/java/project

SQL quality rules run automatically — no additional flags needed.

Requirements

  • Java 17+

v1.0.0 — Initial Release

09 Apr 21:34

First release of CodeScanUtil, a CLI tool that scans Java source code for common security vulnerabilities and generates a self-contained HTML report.

Highlights

  • 14 SAST rules covering SQL Injection, XSS, Path Traversal, Log Injection, Hardcoded Credentials, CSRF, Insecure Deserialization, Command Injection, Open Redirect, Weak Cryptography, SSRF, Exception Handling, Hardcoded Environment Config, and Information Exposure
  • 9 of 10 OWASP Top 10:2025 categories covered
  • Dependency license checking — automatically scans pom.xml dependencies for non-permissive licenses (GPL, AGPL, SSPL) using the local Maven cache
  • Online vulnerability scanning (--online) — queries OSV.dev (free, no API key) and optionally NVD for known CVEs in dependencies, with fix version recommendations
  • Self-contained HTML report — scan summary, severity dashboard, sortable findings table with expandable code context and secure alternatives, dependency license table, dependency vulnerability table
  • Configurable sensitive terms — flag organization-specific names, internal domains, and project codenames via .codescanutil-sensitive-terms.txt with wildcard support
  • Fully offline by default — no internet required for SAST scanning and license checking. Online mode is opt-in via --online
  • Zero findings on self-scan — the tool passes its own scan at all severity levels

Quick Start

Download codescanutil-1.0.0.jar from the assets below, then:

Scan a project

java -jar codescanutil-1.0.0.jar /path/to/your/java/project

With online dependency vulnerability scanning

java -jar codescanutil-1.0.0.jar /path/to/your/java/project --online

Requirements

Java 17+

Assets

codescanutil-1.0.0.jar — fat JAR, ready to run (no installation needed)
Source code (zip/tar.gz) — build with mvn clean package